PCI Data Security Standards (DSS)

Similar documents
The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

Did you know your security solution can help with PCI compliance too?

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

PCI COMPLIANCE Protecting Against External Threats Protecting Against the Insider Threat

GFI White Paper PCI-DSS compliance and GFI Software products

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

How To Comply With The Pci Ds.S.A.S

Need to be PCI DSS compliant and reduce the risk of fraud?

Introduction. PCI DSS Overview

Enforcing PCI Data Security Standard Compliance

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Payment Card Industry Data Security Standards.

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

New Boundary Technologies. The Payment Card Industry (PCI) Security Guide. New Boundary Technologies PCI Security Configuration Guide

Achieving Compliance with the PCI Data Security Standard

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

How To Protect Your Credit Card Information From Being Stolen

PCI DSS Requirements - Security Controls and Processes

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

How To Protect Your Business From A Hacker Attack

How To Achieve Pca Compliance With Redhat Enterprise Linux

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

Payment Card Industry Data Security Standard

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

Achieving PCI-Compliance through Cyberoam

PCI Compliance Top 10 Questions and Answers

PCI Compliance. Top 10 Questions & Answers

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Franchise Data Compromise Trends and Cardholder. December, 2010

Becoming PCI Compliant

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

Josiah Wilkinson Internal Security Assessor. Nationwide

74% 96 Action Items. Compliance

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

How To Protect Visa Account Information

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Two Approaches to PCI-DSS Compliance

PCI Requirements Coverage Summary Table

What s New in PCI DSS Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1

SonicWALL PCI 1.1 Implementation Guide

PCI DSS COMPLIANCE DATA

LogRhythm and PCI Compliance

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

PCI Requirements Coverage Summary Table

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Thoughts on PCI DSS 3.0. September, 2014

PCI Compliance: How to ensure customer cardholder data is handled with care

Varonis Systems & The Payment Card Industry Data Security Standard (PCI DSS)

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015.

PCI Security Compliance

March

PCI Data Security Standards

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

Payment Card Industry Data Security Standard

Running A Fully Controlled Windows Desktop Environment with Application Whitelisting

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Payment Card Industry Data Security Standard PCI DSS

Teleran PCI Customer Case Study

Payment Card Industry (PCI) Compliance. Management Guidelines

Proven LANDesk Solutions

Guide to Vulnerability Management for Small Companies

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

Accelerating PCI Compliance

PCI Compliance for Cloud Applications

Passing PCI Compliance How to Address the Application Security Mandates

Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas The V ersatile BI S o l uti on!

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

PICO Compliance Audit - A Quick Guide to Virtualization

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 3

How Reflection Software Facilitates PCI DSS Compliance

The Comprehensive Guide to PCI Security Standards Compliance

AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

Is the PCI Data Security Standard Enough?

Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007

CorreLog Alignment to PCI Security Standards Compliance

Presented By: Bryan Miller CCIE, CISSP

Conquering PCI DSS Compliance

Transcription:

ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants and their partners has evolved, card fraud has become more sophisticated. Any business that stores or transmits cardholder account data is a potential target, and recent data indicates that 4 out of 5 cardholder breaches occur at the point of sale. In response to this evolving threat, the major credit card companies (American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International) have created a set of security standards to protect their customers from security breaches and identity theft. What are the PCI Data Security Standards? The Payment Card Industry Data Security Standards (PCI DSS) includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. By following the standardized, industry-wide procedures of PCI DSS, organizations can: Protect their customers personal data. Boost customer confidence through a higher level of data security. Insulate themselves from financial losses and remediation costs. Maintain customer trust and safeguard the reputation of their brand. Provide a complete health check for any business that stores or transmits customer information. The Pressure to Comply Retailers are under heavy pressure to comply with PCI, and it does not look like that will ease any time soon. If anything, the payment industry is more intent on enforcement than ever before. And while only a third of the largest companies were considered compliant at the end of 2006, that number is expected to grow to between 50% and 75% by the end of 2007, with smaller companies following suit. As of June 30, 2007, the PCI Data Security Standards are scheduled to be enforceable. This means that companies who are not compliant with the standard could face financial penalties. At an expected rate of $10,000 to $100,000 per month, these fines will place a heavy burden on organizations that have not complied. PCI Data Security Standards (DSS) Learn More >See a product demonstration > http://www.bit9.com > Browse our resource library > http://www.bit9.com/resources > Watch a recorded webinar > http://www.bit9.com/webinars > Contact Bit9 today! > http://www.bit9.com/contactme Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security Facts About Data Protection Recent data indicates 4 out of 5 cardholder data breaches occur at the point of sale. As of October 2006, only about one-third (100) of the largest (Level 1) retailers were compliant with the PCI standard. Fines for non-compliance with PCI range from $10,000 a month to $100,000 a month depending on circumstances.

ENTERPRISE APPLICATION WHITELISTING Achieving PCI Compliance at the Point of Sale () Protecting Data Where It s Most Vulnerable The PCI Data Security Standards are designed to thwart identity theft and fraud by establishing controls around how customer data is handled within a company s information architecture. These guidelines place requirements on systems that stretch from the central data repository all the way to the point of sale. As companies work their way through these guidelines, many are discovering their greatest exposure is at the endpoint. PCs deployed in the field, at stores and retail outlets, and at remote locations are more susceptible to hackers and malicious software. Computers in stores are often used for many different purposes not just transactions and therefore need to provide access to a wider group of individuals. These PCs are frequently offline making centralized patching or auditing difficult, and other systems management processes are hindered by the simple lack of on-site IT resources. All of this creates a difficult environment for establishing security. Whitelisting: Ease the Security Burden Let s face it your store employees are just not data security experts. Your security policies must be simple if you want them to be implemented effectively. This will make it easier for both your field staff and your central IT department to achieve your compliance requirements. Bit9 protects data at these endpoints where it is most vulnerable by locking down PCs to a standard software configuration known as a whitelist. Any and all unauthorized software is prevented from running and access to personal storage devices is brought under control. Malware, spyware, and rogue applications and devices are all blocked to ensure the integrity of the computer and its critical data. Because this whitelist is controlled centrally, your PCs can not be modified in the field. And your store personnel never need to be given responsibility for complex IT tasks xuch as updating signatures, patching systems, or manipulating security configurations. How Bit9 Helps You Comply with the PCI Data Security Standards Here s how Bit9 addresses the PCI Data Security Standards. Build and Maintain a Secure Network 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security Network (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS). 2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the devices specified function). 2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. By controlling the installation and execution of software, systems are prevented from drifting from their desired state. From a central console, vulnerable software can be centrally identified, making it easy to prioritize patch activity. By creating a whitelist of approved software, Bit9 ensures only approved services and software are allowed to run on any Windows-centric device. By creating a whitelist of approved software (scripts, drivers, subsystems, web applications), Bit9 ensures only approved services and software are allowed to run on any Windowscentric device.

How Bit9 Helps You Comply with the PCI Data Security Standards () Maintain a Vulnerability Management Program 5.1 Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers). 5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware. 5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs. 6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release. Bit9 blocks any software that is not pre-approved to run. A cryptographic hash (a unique identifier) is taken for each new file that is written to disk. Before this file is allowed to run, the hash is created and then compared to a list of approved hashes that were created by an automated software approval process. If the hash is on the list of approved hashes, the file is allowed to run. If the hash is not on the list of approved hashes, it is completely blocked from execution. If a file is changed, it changes the cryptographic hash for the file and because the hash is no longer on the list of approved hashes, it too will not run. While there are obvious benefits to Bit9 s approach to preventing viruses, spyware, and adware, there are also significant benefits from preventing illegal and unlicensed software from running. Unlike traditional anti-virus solutions that need constant signature updates to stay effective, Bit9 s non-signature antivirus approach continuously blocks all unwanted software without the burden of keeping signature files up to date. Ultimately, Bit9 s non-signature antivirus approach eliminates zero-day attacks. Because Bit9 has a software inventory of all software currently installed on Windows computers, a Bit9 user can centrally identify the presence or absence of vendor-supplied security patches. 6.2 Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update standards to address new vulnerability issues. 6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods: Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security. Installing an application layer firewall in front of web-facing applications. Every new file is looked up in the Bit9 ParityCenter knowledgebase of more than 2 billion file records and hundreds of thousands of known vulnerabilities to determine the threat level of the newly discovered software. Bit9 ParityCenter is updated daily with legitimate and potentially malicious software. Bit9 has the ability to act as an application firewall on web-facing applications. Any new application or program that is not pre-approved is blocked from installing or executing. This ensures the highest levels of system and application security. This whitelisting approach is the safest way to ensure only approved software is allowed to run.

How Bit9 Helps You Comply with the PCI Data Security Standards () Implement Strong Access Control Measures 7.1 Limit access to computing resources and cardholder information only to those individuals whose jobs require such access. 7.2 Establish a mechanism for systems with multiple users that restricts access based on a user s need to know and is set to deny all unless specifically allowed. 9.7 Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data. 9.9 Maintain strict control over the storage and accessibility of media that contains cardholder data. Portables storage devices can be an easy source of data leakage and loss. Bit9 can set controls on the ability to read/write/execute software on portable storage devices, preventing information leakage and accidental loss of sensitive, confidential information. When a user logs into a system, the user will be restricted to run only the applications that have been pre-approved. All other applications will be restricted from use based on the user s policy and need to know. Bit9 s device control policies ensure only authorized staff are allowed to copy cardholder data to portable storage devices, helping to control the distribution of cardholder data. Bit9 s device control policies ensure only authorized staff and computers are allowed to copy cardholder data to portable storage devices, controlling the storage, accessibility, and portability of confidential information. 10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user. 10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). Installing an application layer firewall in front of web-facing applications. 11.6 Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system or content files and configure the software to perform critical file comparisons at least weekly. To prevent malicious software, every executable that is introduced (downloaded/installed/copied) to a Windows computer is tracked to a specific user on a specific computer. To prevent data leakage, every file (executable or data file) that is copied to and/or from a portable storage device is tracked to a specific user on a specific computer. Bit9 will log all activity related to new software and alert should an application begin to propagate across a number of computers over a time period. All new applications that get written to a system get logged and then compared to the Bit9 ParityCenter knowledgebase of 2 billion database records to gauge the threat level of the file. With Bit9, only approved software is allowed to run. Should a hacker tamper with the bits of an application, it would change the cryptographic hash of the file and therefore render the new application inoperable. Ultimately, this protects hackers from tampering with applications to make them perform malicious activity.

How Bit9 Helps You Comply with the PCI Data Security Standards () Maintain an Information Security Policy 12.5.5 Monitor and control all access to data. Data leakage is a serious problem and difficult to control. Only approved users should have access to data. By controlling who can and cannot read/write data to portable storage devices, a layer of control is added to prevent data leakage. Malicious applications and spyware can also gain unauthorized access to data. Bit9 allows only approved software to run and malicious software is therefore unable to gain access to confidential information. To learn more about how Bit9 can help your organization become PCI compliant, contact us at 617.393.7400 or contact@bit9.com. About Bit9, Inc. Bit9, Inc., the leading provider of application and device control solutions, centrally controls which applications can and cannot run. Bit9 s award-winning, patent-pending technology delivers the easiest and most effective way to achieve Windows lockdown, enabling IT professionals to realize the highest levels of desktop security, compliance, and manageability. Founded in 2002 by the founders of Okena (acquired by Cisco Systems (NASDAQ: CSCO)) and headquartered in Cambridge, Massachusetts, Bit9 is a privately held company. For more information, visit www.bit9.com. 2008, Bit9, Inc. All Rights Reserved. Bit9, Inc., Automatic Graylists, FileAdvisor, Find File, Parity, and ParityCenter are trademarks or registered trademarks of Bit9, Inc. All other names and trademarks are the property of their respective owners. Bit9 reserves the right to change product specifications or other product information without notice. Bit9, Inc. 266 Second Ave. Waltham, MA 02451 p: 617.393.7400 f: 617.393.7499 www.bit9.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information